[ipv6hackers] IPv6 Security research

Marco Ermini marco.ermini at gmail.com
Wed Mar 21 15:52:39 CET 2012

On 20 March 2012 22:11, Eric Vyncke (evyncke) wrote:
> Jumping in the middle of a thread...
> If you are local: ping ff02::1 is good enough
> Else IPfix (or variant such as flexible netflow) can be used to collect
> source IPv6 address (indirect way to detect which nodes are using
> routers)
> Else ND cache scanning on routers (an entry is inserted upon receipt of
> any RS)

That's exactly what I asked all of the major vendors that we have
in our shop to implement in their scan engines. For the moment, I am
falling on dumb ears. They simply don't have any roadmap for anything
like that in the future.

What they mostly seem to do is basically abruptly copy nmap and
implement a (more or less) nice web interface and CISO reports on it
(don't get me wrong, these are needed in an "enterprise environment").
Nmap is not that behind with IPv6, and therefore these "enterprise
tools" don't have anywhere to copy from.

The only ones on that market that actually may work are products which
incorporate IPS/IDS and Netflow along with nmap. They would allow one to
do just as Eric explained: collect RA/ND/RS traffic and scan the
detected hosts. The problem is that actual IPS products seem to work
the other way around - they rely on scanners to detect the hosts and
then adjust their policies according to what has been discovered,
which obviously can't work in an IPv6 network.

Marco Ermini
root at human # mount -t life -o ro /dev/dna /genetic/research
"Jesus saves... but Buddha makes incremental back-ups!"
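
Added example, not part of the original message: a sketch of the passive-first workflow discussed in this thread, merging a router's ND cache with flow-record source addresses into an in-scope target list that a scanner can then be pointed at. The ND cache text is assumed to be in Linux `ip -6 neigh show` format, the flow sources are assumed to be already extracted by a collector, and all addresses and prefixes are constructed samples from the 2001:db8::/32 documentation range.

```python
import ipaddress

# Assumption: the site's own prefixes (constructed, documentation range).
SITE_PREFIXES = [ipaddress.ip_network(p) for p in ("2001:db8:10::/64", "2001:db8:20::/64")]

# Constructed sample: router neighbor cache in `ip -6 neigh show` format.
ND_CACHE = """\
2001:db8:10::a1 dev eth0 lladdr 00:11:22:33:44:55 REACHABLE
2001:db8:10::b2 dev eth0 lladdr 00:11:22:33:44:66 STALE
fe80::211:22ff:fe33:4455 dev eth0 lladdr 00:11:22:33:44:55 router REACHABLE
2001:db8:10::dead dev eth0  FAILED
"""

# Constructed sample: source addresses taken from IPFIX/NetFlow records.
FLOW_SOURCES = ["2001:DB8:10:0:0:0:0:A1", "2001:db8:20::77",
                "2001:db8:10::c3", "2a00:1450::5", "not-an-address"]

def in_scope(addr):
    """True only for IPv6 addresses inside one of the site prefixes."""
    return addr.version == 6 and any(addr in net for net in SITE_PREFIXES)

def parse_nd_cache(text):
    """Yield (address, mac) for resolved entries; skip FAILED/INCOMPLETE."""
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 2 or fields[-1] in ("FAILED", "INCOMPLETE"):
            continue
        try:
            addr = ipaddress.ip_address(fields[0])
        except ValueError:
            continue
        mac = fields[fields.index("lladdr") + 1] if "lladdr" in fields else None
        yield addr, mac

def build_targets(nd_text, flow_sources):
    """Merge both passive sources into {address: {mac, seen_by}}, sorted."""
    hosts = {}
    for addr, mac in parse_nd_cache(nd_text):
        if in_scope(addr):
            entry = hosts.setdefault(addr, {"mac": None, "seen_by": set()})
            entry["mac"] = mac
            entry["seen_by"].add("nd-cache")
    for raw in flow_sources:
        try:
            addr = ipaddress.ip_address(raw)  # also normalizes the notation
        except ValueError:
            continue
        if in_scope(addr):
            hosts.setdefault(addr, {"mac": None, "seen_by": set()})["seen_by"].add("flow")
    return {str(a): hosts[a] for a in sorted(hosts)}

if __name__ == "__main__":
    for addr, info in build_targets(ND_CACHE, FLOW_SOURCES).items():
        print(addr, info["mac"] or "-", ",".join(sorted(info["seen_by"])))
```

Hosts that appear only in flow records have no MAC recorded, which marks them as being outside the polled router's local segments.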
